Two-Step Authentication

If you have ever watched the original Get Smart television series, you’ve seen in the opening credits how Agent 86 walks through a series of security doors before getting to a phone booth that descends to take him to headquarters. The series of doors reflects how secure the building is. I was reminded of this scene when Google introduced two-step verification for their apps this past week.

Two-step (or two-factor) authentication requires two things before you can gain access. The first step is the typical login name and password. The second step, in Google’s case, is a code – six digits – sent to your cell phone or generated by their app on your smartphone. Since only you should have access to your cell phone, even if a malicious site got hold of your password, it would still not be able to gain access because it does not know the random code.

ShopSite has provided two-factor authentication since version 8.1. For merchants that store credit cards, two-factor authentication is one of the requirements for PCI compliance. Besides logging in with a username and password, ShopSite has a Merchant Key that needs to be uploaded (the second step) before you can view credit card information. The Merchant Key is an encrypted file that is stored locally on your computer or a memory stick. Without the key, ShopSite cannot decrypt the credit card data, so it is important to have a backup copy of the key stored on a CD or other device.

Besides making a merchant’s access to credit cards much more secure, the Merchant Key lets stores where multiple employees can log in restrict credit card information to only those employees who have been given the key. For example, an order fulfillment employee without access to the Merchant Key can log in to process an order, but cannot view the credit card information.

I have no doubt that two-step authentication is here to stay. And the more important the data, the more one needs this feature. It is an extra step, but that’s the way security works – the more security we have, the more inconvenient it becomes. At least we don’t (yet!) need to go through multiple doors and a phone booth like Maxwell Smart, Agent 86, had to!